Hi all,

I am hopefully going to implement a minor website for gathering survey data for some research I am doing. Due to data privacy and so on, I want to be extra careful about security. First, I didn't understand the security concerns about URLs at http://docs.racket-lang.org/web-server/faq.html, nor its solution (see end of email for the full question which confuses me).
Secondly, do I understand correctly that for a production-ready website I would use the Racket serve/servlet, or are there other/better servers I would use? I've only used serve/servlet on my local machine and wouldn't understand the security concerns until I was hacked (and even then...).

The question that left me more confused than reassured (primarily because I don't understand what HTTP traffic "in the clear" is, as opposed to HTTPS?):

"10.7. What special considerations are there for security with the Web Server?

The biggest problem is that a naive usage of continuations will allow continuations to subvert authentication mechanisms. Typically, all that is necessary to execute a continuation is its URL. Thus, URLs must be as protected as the information in the continuation. Consider if you link to a public site from a private continuation URL: the Referrer field in the new HTTP request will contain the private URL. Furthermore, if your HTTP traffic is in the clear, then these URLs can be easily poached.

One solution to this is to use a special cookie as an authenticator. This way, if a URL escapes, it will not be able to be used, unless the cookie is present. For advice about how to do this well, see Dos and Don'ts of Client Authentication on the Web from the MIT Cookie Eaters.

Note: It may be considered a great feature that URLs can be shared this way, because delegation is easily built into an application via URLs."

Cheers,
Marc
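The pattern the FAQ paragraph describes, as an added example that is not part of Marc's message or of the Racket documentation: a servlet hands out a continuation URL with send/suspend, but when that URL is visited it refuses to continue unless the request also carries the session cookie that was set when the continuation was captured. The in-memory session table, the cookie name "sid", the user name "marc", the certificate file names and the port are all assumptions of this example. Serving over TLS (the #:ssl? options) is what keeps the URLs and the cookie out of "the clear"; the Referrer-Policy header is there so a link from the survey page to a public site does not carry the private continuation URL in the Referer request header.

```racket
#lang racket
(require web-server/servlet
         web-server/servlet-env
         racket/random   ; crypto-random-bytes
         file/sha1)      ; bytes->hex-string

;; Assumed in-memory session store: session id -> user name.
;; A real deployment would also expire entries.
(define sessions (make-hash))

;; 256 bits from the OS CSPRNG, rendered as hex for the cookie value.
(define (fresh-session-id)
  (bytes->hex-string (crypto-random-bytes 32)))

;; Value of the "sid" cookie on this request, or #f when absent.
(define (request-session-id req)
  (for/first ([c (request-cookies req)]
              #:when (string=? (client-cookie-name c) "sid"))
    (client-cookie-value c)))

;; Headers attached to the page that issues the authenticator cookie.
;; Secure: never sent over cleartext HTTP. HttpOnly: page scripts cannot read it.
;; Referrer-Policy: outbound links do not leak this page's (private) URL.
(define (auth-headers sid)
  (list (cookie->header
         (make-cookie "sid" sid #:secure? #t #:http-only? #t #:path "/"))
        (header #"Referrer-Policy" #"no-referrer")))

(define (start req)
  (define sid (fresh-session-id))
  (hash-set! sessions sid "marc")   ; stands in for a successful login
  ;; Page 1: set the cookie and hand out a continuation URL.
  ;; send/suspend returns only when someone visits k-url; the request
  ;; that arrived at k-url is what it returns.
  (define resumed
    (send/suspend
     (lambda (k-url)
       (response/xexpr
        #:headers (auth-headers sid)
        `(html (body (p "Logged in.")
                     (a ([href ,k-url]) "Continue to the survey")))))))
  ;; Anyone who learns k-url reaches this point. The URL alone must not be
  ;; enough: the cookie must match the session captured with this continuation.
  (cond
    [(equal? (request-session-id resumed) sid)
     (response/xexpr
      `(html (body (p ,(format "Hello ~a, here is the survey."
                               (hash-ref sessions sid))))))]
    [else
     (response/xexpr
      #:code 403
      `(html (body (p "This link is only valid from the session that created it."))))]))

;; Certificate and key file names are assumptions of this example.
(serve/servlet start
               #:servlet-path "/survey"
               #:port 8443
               #:ssl? #t
               #:ssl-cert "server-cert.pem"
               #:ssl-key "private-key.pem"
               #:launch-browser? #f)
```

To see the check work, open https://localhost:8443/survey in one browser, copy the "Continue to the survey" link, and paste it into a different browser (or a private window): the second client has the URL but not the cookie, so it gets the 403 instead of the survey. The session id is compared with the one captured lexically by the continuation, so a cookie from some other session does not satisfy the check either.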

